Detections
Analytics
JUSX-DM-000105 - The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.
Information
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs.The SRX generates a key-pair and a CSR. The CSR is sent to the approved Certification Authority (CA), who signs it and returns it as a certificate. That certificate is then installed.
The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Generate a new key-pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet.RSA:
request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096>
ECDSA:
request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384>
Generate a CSR from RSA key-pair using the following command and options.
request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject 'CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,
L=<city>,ST=<state>,C=<us>' filename <path/filename>
Generate a CSR from ECDSA key-pair use the following command and options.
request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject 'CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,
L=<city>,ST=<state>,C=<us>' filename <path/filename>
If no filename is specified, the CSR is displayed on the standard out (terminal)
After receiving the approved certificate from the CA, enter the following command and options to upload the certificate.
request security pki local-certificate certificate-id <cert_name_from_key_file> filename <path/filename_of_uploaded_certificate>
From the operational mode of the hierarchy:
set security certificates local new load-key-file /var/tmp/new.pem
Type the following command to load the X.509 certificate into the certificate store in operations mode.
>request security pki local-certificate load certificate-id <ID> filename <PATH TO CERTIFICATE FILE>
For this example, assume the transferred the X.509 certificate called 'device-cert.crt' to the /var/tmp directory on the SRXD. The following command will load the device-cert.crt certificate file and associate it with the public/private keypair named 'device-keypair' generated in a previous step.
>request security pki local-certificate load certificate-id device-keypair filename /var/tmp/device-cert.crt
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M07_STIG.zip
Item Details
Audit Name: DISA Juniper SRX Services Gateway NDM v3r1
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-6b., 800-53|SC-17, CAT|II, CCI|CCI-000366, CCI|CCI-001159, CCI|CCI-004068, Rule-ID|SV-223207r997572_rule, STIG-ID|JUSX-DM-000105, STIG-Legacy|SV-80983, STIG-Legacy|V-66493, Vuln-ID|V-223207
Plugin: Juniper
Control ID: d9a6fd632bb2a994768117d654b74deffe193e6b6aaca31120b4ab58c9aec53f